dridex | e88df4131fdd98a0b85a2b9d25e7772767d4629c64ac2af981fa6d23132df183

General

Target

6f1137c2ea734e22e0224e97c063e7f7_JaffaCakes118.dll
Size

1.3MB
MD5

6f1137c2ea734e22e0224e97c063e7f7
SHA1

b5e75a87e673e2951bae329aaca82a6cc3890dd0
SHA256

e88df4131fdd98a0b85a2b9d25e7772767d4629c64ac2af981fa6d23132df183
SHA512

aacc73ce0eb9846248effeb16bb3937480f2a06406b34ec3fe21be50c1ff6c5753dc4444da681884c39c3c05f5fd3ab31cab421626e967797670e21a722f6df6
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002E50000-0x0000000002E51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

p2phost.exep2phost.exeSystemPropertiesRemote.exe

pid process

288 p2phost.exe
2828 p2phost.exe
540 SystemPropertiesRemote.exe
Loads dropped DLL 7 IoCs

Processes:

p2phost.exep2phost.exeSystemPropertiesRemote.exe

pid process

1200
288 p2phost.exe
1200
2828 p2phost.exe
1200
540 SystemPropertiesRemote.exe
1200

pid	process
288	p2phost.exe
2828	p2phost.exe
540	SystemPropertiesRemote.exe

pid	process
1200
288	p2phost.exe
1200
2828	p2phost.exe
1200
540	SystemPropertiesRemote.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\NBZUQR~1\\p2phost.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

p2phost.exep2phost.exeSystemPropertiesRemote.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
3016	regsvr32.exe
3016	regsvr32.exe
3016	regsvr32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2660	1200	p2phost.exe
PID 1200 wrote to memory of 2660	1200	p2phost.exe
PID 1200 wrote to memory of 2660	1200	p2phost.exe
PID 1200 wrote to memory of 288	1200	p2phost.exe
PID 1200 wrote to memory of 288	1200	p2phost.exe
PID 1200 wrote to memory of 288	1200	p2phost.exe
PID 1200 wrote to memory of 2000	1200	p2phost.exe
PID 1200 wrote to memory of 2000	1200	p2phost.exe
PID 1200 wrote to memory of 2000	1200	p2phost.exe
PID 1200 wrote to memory of 2828	1200	p2phost.exe
PID 1200 wrote to memory of 2828	1200	p2phost.exe
PID 1200 wrote to memory of 2828	1200	p2phost.exe
PID 1200 wrote to memory of 2912	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 2912	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 2912	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 540	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 540	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 540	1200	SystemPropertiesRemote.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6f1137c2ea734e22e0224e97c063e7f7_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2660

C:\Users\Admin\AppData\Local\nXE\p2phost.exe
C:\Users\Admin\AppData\Local\nXE\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:288

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2000

C:\Users\Admin\AppData\Local\jVP5JhM\p2phost.exe
C:\Users\Admin\AppData\Local\jVP5JhM\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2828

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Gi6IX\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\Gi6IX\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:540

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Gi6IX\SYSDM.CPL
Filesize
1.3MB

MD5
a8ba73058249840154998a1d7f25c117

SHA1
b7bddb80038d8df01c7604f1d6211cb395f70467

SHA256
4c43f148c65d8849700c52b50206590379b1c1c2903e892e602f0844efa1cd36

SHA512
b46a486fa72879d045db33428d779c1f57ec0ccc4639648595f9c0ac3f3059db4d3b291e347564314d448c203097750ec744bd46d4a2e326904d9e232751e016

Download Submit
C:\Users\Admin\AppData\Local\jVP5JhM\P2PCOLLAB.dll
Filesize
1.3MB

MD5
226a8d0e4ba0bda1e061bcb8aa305617

SHA1
c107aeeaadba6fbc18eb0531cf78abf86e952dc8

SHA256
cf529714bad96945431a9b3bd6cb151173b97a185e25a76689b64c6a89c8c933

SHA512
a47585a798d8271e872262de21c6619928470ed64d3a24c33a305aaf5f198f11c29532496b119e72ea0429cc5165f75ac657baff0b66e7cbff38a5e26ee88f73

Download Submit
C:\Users\Admin\AppData\Local\nXE\P2P.dll
Filesize
1.3MB

MD5
fc5859cdbc7731bfc42be87689849957

SHA1
26ea64038c53c2e63c1eb0ec77339dc11faa2982

SHA256
92bad8d7693e0c6fd04a01d75dffa9d9f1754d9678dfdca2be9915a622b09873

SHA512
8b3a4de0ca57eb3ec444243cc9c6135a643aa92c857ecdd24644ee6d5a409928de3308825756a8d780b50d4664497a92946bc9986b97d32aaa8037cd1446141d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
Filesize
1KB

MD5
6632fc31908f1980757666aae6f88c70

SHA1
8a1199e65acda7581a1618e7a8e84ed38dea6c06

SHA256
5f873ffa4783bc93b5f8fbcef9fe984456bc525c48ad51538fb5db8a82c68586

SHA512
75fac39957f108eff551b9c62817563f5ea96e463a32744d530b82dc9bbe2704457d69f2b33c175dd977473411f29ee1183497f71f2a43bcb079b2b89b280d6f

Download Submit
\Users\Admin\AppData\Local\Gi6IX\SystemPropertiesRemote.exe
Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\nXE\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/288-60-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/288-57-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/288-54-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/540-96-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1200-28-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1200-26-0x0000000002B30000-0x0000000002B37000-memory.dmp

Filesize
28KB

Download
memory/1200-14-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-13-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-12-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-11-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-10-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-9-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-37-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-38-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-4-0x0000000076B36000-0x0000000076B37000-memory.dmp

Filesize
4KB

Download
memory/1200-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-27-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1200-5-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1200-15-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-16-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-65-0x0000000076B36000-0x0000000076B37000-memory.dmp

Filesize
4KB

Download
memory/1200-7-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1200-8-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2828-76-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2828-79-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-0-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3016-46-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3016-3-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads